
simonw, yesterday at 3:46 PM (16 replies)

Drew Breunig published a very relevant piece yesterday that came to the opposite conclusion: https://www.dbreunig.com/2026/04/14/cybersecurity-is-proof-o...

Since security exploits can now be found by spending tokens, open source is MORE valuable because open source libraries can share that auditing budget while closed source software has to find all the exploits themselves in private.

> If Mythos continues to find exploits so long as you keep throwing money at it, security is reduced to a brutally simple equation: to harden a system you need to spend more tokens discovering exploits than attackers will spend exploiting them.


Replies

dang, yesterday at 8:37 PM

Thanks - I've re-upped* that one here: Cybersecurity looks like proof of work now - https://news.ycombinator.com/item?id=47769089 (no comments yet)

* a la https://news.ycombinator.com/item?id=26998308

DrammBA, yesterday at 4:02 PM

I have a feeling the real reason is them trying to avoid someone using AI to copyright-wash their product, they're just using security as the excuse.

pietz, yesterday at 4:00 PM

This conclusion makes more sense to me, but maybe I'm too naive.

The media momentum of this threat really came with Mythos, which was like 2 or 3 weeks ago? That seems like a fairly short time to pivot your core principles like that. It sounds to me like they wanted to do this for other business related reasons, but now found an excuse they can sell to the public.

(I might be very wrong here)

haritha-j, today at 10:50 AM

I like that LLMs have basically switched to the weapons business model. Buy our LLM so that the bad guy we'll sell our LLM to doesn't destroy your code. As a bonus, we'll give you a little head start. And if you're a small company that can't afford our LLM, too bad.

mgdev, yesterday at 4:26 PM

This is an economically sound conclusion.

It also means that you need to extract enough value to cover the cost of said tokens, or reduce the economic benefit of finding exploits.

Reducing economic benefit largely comes down to reducing distribution (breadth) and reducing system privilege (depth).

One way to reduce distribution is to raise the price.

Another is to make a worse product.

Naturally, less valuable software is not a desirable outcome. So either you reduce the cost of keeping open (by making closed), or increase the price to cover the cost of keeping open (which, again, also decreases distribution).

The economics of software are going to massively reconfigure in the coming years, open source most of all.

I suspect we'll see more 'open spec' software, with actual source generated on-demand (or near to it) by models. Then all the security and governance will happen at the model layer.

jstummbillig, yesterday at 7:52 PM

> to harden a system you need to spend more tokens discovering exploits than attackers will spend exploiting them.

That can't be right, can it? Given stable software, the relative attack surface keeps shrinking. Mythos does not produce exploits. Should be defenders advantage, token wise, no?

MerrimanInd, today at 5:45 AM

I wonder if we could find a way to donate unused tokens or even local compute resources to open-source projects we support. Especially for security auditing where it could probably be somewhat more asynchronous and disconnected than the open-source developers' personal tool choices.

pllbnk, today at 5:42 AM

It's been a common wisdom now for decades that open source is more secure. Security is just a scapegoat here.

skybrian, yesterday at 4:01 PM

This seems similar to the lesson learned for cryptographic libraries where open source libraries vetted by experts become the most trusted.

Your average open source library isn’t going to get that scrutiny, though. It seems like it will result in consolidation around a few popular libraries in each category?

flying_sheep, yesterday at 9:44 PM

> to harden a system you need to spend more tokens discovering exploits than attackers will spend exploiting them

This is true up to a certain point, unless the requirement / contract itself has a loophole which the attacker can exploit without limit. But I don't think this is the case.

Let's say someone found a loophole in sort() which can cause denial-of-service. The cause would be the implementation itself, not the contract of sorting. People + AI will figure it out and fix it eventually.

criddell, yesterday at 3:57 PM

How many open source libraries have auditing budgets?

tonymet, yesterday at 10:04 PM

This may be true long term but not short term. It also assumes that white hats will be as motivated as black hats – not true.

For projects with NO WARRANTY, the risk is minimal, so yes there are upsides.

For a commercial project like cal.com, where a breach means massive liability, they don’t have the resources to risk breaches in the short term for potentially better software in the long term.

not-chatgpt, yesterday at 3:57 PM

Security should be a non issue in the age of AI now that auditing is cheaper than ever.

I'd give them more credit if they used the AI slop unmaintainability argument.